After an extended sunset period, time to replace the “old” SCCs runs out on Dec. 27, 2022. After that date, the old SCCs will no longer legalize data transfers to countries outside the European Economic Area (EEA). To avoid compliance risks associated with illegal transfers of personal data, any old SCCs should be updated to their newer version immediately.
Who Is Affected?
Mainly, the following entities are affected:
- any EEA company (or other entity) that is part of a global group of companies and shares personal data (e.g., HR data) with non-EEA members of that group, and cannot rely entirely on other legitimation for such data transfers pursuant to the General Data Protection Regulation (GDPR);
- any EEA company (or other entity) that receives services or otherwise has vendors from outside the EEA where such services imply any sharing of personal data which cannot entirely be based on other legitimation for such data transfers pursuant to GDPR;
- any non-EEA company (or other entity) that is part of a global group of companies and receives personal data (e.g., HR data) from EEA members of that group, and cannot rely entirely on other legitimation for such data transfers pursuant to GDPR;
- any non-EEA company (or other entity) that provides services or is otherwise a vendor to an EEA entity where such services imply any sharing of personal data which cannot entirely be based on other legitimation for such data transfers pursuant to GDPR;
- any EEA company (or other entity), or any non-EEA company (or other entity) which previously signed SCCs to legitimize the sharing or the transfer of personal data, and where such SCCs have not yet been replaced by, or in first place been entered into according to, the most recent form for SCCs provided by the EU Commission in 2021.
- Note that not just cross-border sharing/transfer is affected, but also onward transfer outside the EEA.
Please note: “EEA” includes the member states of the EU plus Iceland, Liechtenstein, and Norway.
SCCs are certain standardized contract clauses that legalize personal data transfers to, or data sharing with, entities established in countries outside the EEA. They are one way to legalize such data transfer to, and within countries that the EU Commission has not recognized as having a comparable standard of data protection as the EU (the list of countries granted such approval includes, inter alia, the UK, Japan, Canada, South Korea, Switzerland, Israel, and New Zealand). While there are other means to legalize such data transfers (e.g., so-called “binding corporate rules”), SCCs are easy to use by companies of all sizes and therefore most common.
Following a July 16, 2020, European Court of Justice (ECJ) ruling (“Schrems II”), the EU Commission published and adopted a new version of the SCCs on June 4, 2021 (see GT Alert). Use of these “new” SCCs has been mandatory for new contracts since Sept. 27, 2021. “Old” SCCs entered into before that date remain valid until Dec. 27, 2022. However, starting from Dec. 27,2022, personal data transfers to “unsafe” countries outside the EEA may only be based on the new SCCs.
Also, the new SCCs require a “Transfer Impact Assessment” (TIA), in which the data exporter assesses the concrete risks of a given transfer, and if the exporter identifies significant risks, additional measures that ensure the safety of the data must be implemented.
Considerations for Before the Deadline Expires
If you have already entered into old SCCs, identify which (cross-border or onward) data transfers require the new SCCs.
If you have not concluded any SCCs, identify data transfers to or within “unsafe” third countries that require the new SCCs (or other means to legitimize the transfer).
In both cases, contact your contracting party to conclude new SCCs.
In both cases, ensure that a TIA is conducted and documented regarding each such data transfer.
To the extent your contract also involves a cross-border or onward transfer of UK personal data, consider including the UK International Data Transfer Agreement or the UK International Data Transfer Addendum to the EU’s SCCs. Although organizations have until 21 March 2024 to update contracts involving UK personal data that rely on the old SCCs, including the new UK transfer mechanisms now could prevent yet another round of contract updates in 2024.